In a recent post, Securing your application. Part 1 – Securing your connection, Brian Madsen talks about encrypting your database connection string, but fails to mention that using this technique does not stop passing unencrypted passwords over the network to your database server.
Whenever possible, you should use Windows authentication instead of SQL authentication to connect from your ASP.NET application to your database server. You should still consider encrypting your connection string to protect server connection details, such as the server and database name.
For ASP.NET 2.0 applications, you should store connection strings in the <connectionStrings> section of your application’s web.config file. The connection string used with Windows authentication must include either the Trusted_Connection=Yes attribute, or the equivalent attribute Integrated Security=SSPI, as shown here.
<add name="MyDbConn1"
connectionString="Server=MyServer;Database=MyDb;Trusted_Connection=Yes;"/>
<add name="MyDbConn2"
connectionString="Initial Catalog=MyDb;Data Source=MyServer;Integrated Security=SSPI;"/>
The above two strings are equivalent and both result in Windows authentication to the database.
Ref.: How To: Connect to SQL Server Using Windows Authentication in ASP.NET 2.0